Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2026-23901

Severity CVSS v4.0:
LOW
Type:
Unavailable / Other
Publication date:
10/02/2026
Last modified:
10/02/2026

Description

Observable Timing Discrepancy vulnerability in Apache Shiro.<br /> <br /> This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.<br /> <br /> Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.<br /> <br /> Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,<br /> that a brute-force attack may be able to tell, by timing the requests only, determine if<br /> the request failed because of a non-existent user vs. wrong password.<br /> <br /> The most likely attack vector is a local attack only.<br /> Shiro security model  https://shiro.apache.org/security-model.html#username_enumeration  discusses this as well.<br /> <br /> Typically, brute force attack can be mitigated at the infrastructure level.

Impact

Vector 4.0
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/R:A/V:C/RE:L/U:Green CVSS v4.0 Severity and Metrics:

Base Score: 1.00 LOW
Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/R:A/V:C/RE:L/U:Green

Attack Vector (AV): Local
Attack Complexity (AC): High
Attack Requirements (AT): Present
Privileges Required (PR): Low
User Interaction (UI): Active
Confidentiality (VC): Low
Integrity (VI): None
Availability (VA): None
Confidentiality (SC): Low
Integrity (SI): None
Availability (SA): None
Safety (S): Negligible
Automatable (AU): Yes
Recovery (R): Automatic
Value Density (V): Concentrated
Vulnerability Response Effort (RE): Low
Provider Urgency (U): Green

Base Score 4.0
1.00
Severity 4.0
LOW

References to Advisories, Solutions, and Tools